Practice Free CISA Exam Online Questions
Which of the following is the MOST important consideration when implementing a Zero Trust strategy for mobile, wireless, and Internet of Things (IoT) devices?
- A . Ensuring the latest firmware updates are applied regularly to all devices
- B . Validating the identity of all devices and users before granting access to resources
- C . Focusing on user training and awareness to prevent phishing attacks
- D . Implementing strong encryption protocols for data in transit and at rest
B
Explanation:
Comprehensive and Detailed Step-by-Step
Zero Trust is based on the principle of "never trust, always verify," making identity validation the most critical aspect.
Option A (Incorrect): Firmware updates are important for security but are only one part of a Zero Trust approach.
Option B (Correct): Device and user identity validation ensures that only authorized entities can access critical resources, reducing the risk of unauthorized access.
Option C (Incorrect): User awareness is important but does not enforce access control, which is fundamental to Zero Trust.
Option D (Incorrect): Encryption secures data but does not control who can access resources, which is the primary focus of Zero Trust.
Reference: ISACA CISA Review Manual – Domain 5: Protection of Information Assets – Covers Zero Trust security models and access control best practices.
Which of the following will provide the GREATEST assurance to IT management that a quality management system (QMS) is effective?
- A . A high percentage of stakeholders satisfied with the quality of IT
- B . A high percentage of IT processes reviewed by quality assurance (QA)
- C . A high percentage of incidents being quickly resolved
- D . A high percentage of IT employees attending quality training
An organization that has suffered a cyber-attack is performing a forensic analysis of the affected users’ computers.
Which of the following should be of GREATEST concern for the IS auditor reviewing this process?
- A . An imaging process was used to obtain a copy of the data from each computer.
- B . The legal department has not been engaged.
- C . The chain of custody has not been documented.
- D . Audit was only involved during extraction of the information.
C
Explanation:
The chain of custody has not been documented is a finding that should be of greatest concern for an IS auditor reviewing a forensic analysis process of an organization that has suffered a cyber attack. The chain of custody is a record of who handled, accessed, or modified the evidence during a forensic investigation. Documenting the chain of custody is essential to preserve the integrity, authenticity, and admissibility of the evidence in a court of law. The other options are less concerning findings that may not affect the validity or reliability of the forensic analysis process.
References:
CISA Review Manual (Digital Version), Chapter 7, Section 7.5
CISA Review Questions, Answers & Explanations Database, Question ID 220
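The explanation above says why an undocumented chain of custody is the finding that matters; the following is an added example (not from the CISA manual or this question bank) of what a minimal chain-of-custody record looks like in practice. Each handoff logs the custodian, the time, and the SHA-256 of the image as re-computed by the receiver, so a change between acquisition and analysis shows up in the record itself. The item identifiers, names and the byte string standing in for a disk image are all constructed.

```python
# Added example: a minimal chain-of-custody record for a forensic image.
import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    when: str          # ISO-8601 UTC timestamp supplied by the handler
    action: str        # "acquired" or "transfer"
    custodian: str     # who holds the evidence after this entry
    image_hash: str    # SHA-256 of the image as verified at this step
    note: str = ""


@dataclass
class ChainOfCustody:
    item_id: str
    description: str
    acquisition_hash: str
    entries: list = field(default_factory=list)

    @classmethod
    def acquire(cls, item_id, description, image, collector, when):
        """Start the record at acquisition; this hash is the reference for every later check."""
        h = sha256_hex(image)
        coc = cls(item_id, description, h)
        coc.entries.append(CustodyEntry(when, "acquired", collector, h, "write-blocked imaging"))
        return coc

    def handoff(self, from_person, to_person, image, when, note=""):
        """Record a transfer; the receiver re-hashes the image and the result is logged verbatim."""
        self.entries.append(
            CustodyEntry(when, "transfer", f"{from_person} -> {to_person}", sha256_hex(image), note)
        )

    def breaks(self):
        """Entries whose hash differs from the acquisition hash: integrity cannot be attested past them."""
        return [e for e in self.entries if e.image_hash != self.acquisition_hash]

    def is_intact(self, image) -> bool:
        """True only if the image matches the acquisition hash and no handoff ever recorded a different one."""
        return sha256_hex(image) == self.acquisition_hash and not self.breaks()


# Constructed stand-in for a disk image (not a real file system).
SAMPLE_IMAGE = b"\x00" * 512 + b"NTFS    " + b"\x00" * 1528


def demo():
    """Two handoffs: the first receiver hashes the unchanged image, the second a modified copy."""
    coc = ChainOfCustody.acquire("EV-2024-017", "Laptop SSD image, workstation finance-03",
                                 SAMPLE_IMAGE, "J. Doe (IR)", "2024-05-01T10:02:00Z")
    coc.handoff("J. Doe (IR)", "Evidence locker", SAMPLE_IMAGE,
                "2024-05-01T11:30:00Z", "sealed bag #4471")
    tampered = SAMPLE_IMAGE[:600] + b"X" + SAMPLE_IMAGE[601:]
    coc.handoff("Evidence locker", "A. Smith (forensics)", tampered, "2024-05-02T09:00:00Z")
    return coc
```

An auditor reviewing such a record wants exactly the fields shown: every holder in sequence with no gaps in time, and a hash at each handoff that matches the acquisition hash. A missing entry or a mismatched hash is what makes the evidence inadmissible, regardless of how well the imaging itself was done.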
Which of the following is a PRIMARY function of an intrusion detection system (IDS)?
- A . Predicting an attack before it occurs
- B . Alerting when a scheduled backup job fails
- C . Blocking malicious network traffic
- D . Warning when executable programs are modified
Which of the following is the GREATEST impact as a result of the ongoing deterioration of a detective control?
- A . Increased number of false negatives in security logs
- B . Decreased effectiveness of root cause analysis
- C . Decreased overall recovery time
- D . Increased demand for storage space for logs
A
Explanation:
The greatest impact as a result of the ongoing deterioration of a detective control is an increased number of false negatives in security logs. A detective control is a control that monitors and identifies any deviations or anomalies from the expected or normal behavior or performance of a system or process. A security log is a record of events or activities that occur within a system or network, such as user access, file changes, system errors, or security incidents. A false negative is a situation where a security log fails to detect or report an actual deviation or anomaly that has occurred, such as an unauthorized access, a malicious modification, or a security breach. An increased number of false negatives in security logs can have a significant impact on the organization’s security posture and risk management, because it can prevent timely detection and response to security threats, compromise the accuracy and reliability of security monitoring and reporting, and undermine the accountability and auditability of user actions and transactions. The other options are not as impactful as an increased number of false negatives in security logs, because they either do not affect the detection capability of a detective control, or they have less severe consequences for security management.
References: CISA Review Manual (Digital Version), Chapter 5, Section 5.2.1
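The explanation above describes a false negative as a detective control failing to report an event that actually occurred. One way to quantify that deterioration, as an added example that is not from the CISA manual, is to replay labelled sample events through the control and count what it misses. The scenario is constructed: an SSH brute-force alert rule was written against one log wording, a later upgrade changed that wording, and the rule silently stopped matching half of the hostile events. The log lines, addresses and rule text are all assumptions for the exercise.

```python
# Added example: measuring a detective control's false-negative rate by replay.
import re

# Constructed log lines with ground truth: True = this event should raise an alert.
LABELLED_EVENTS = [
    ("2024-05-01T09:00:01Z sshd: auth failure user=root src=203.0.113.9", True),
    ("2024-05-01T09:00:02Z sshd: auth failure user=root src=203.0.113.9", True),
    ("2024-05-01T09:00:03Z sshd: auth failure user=root src=203.0.113.9", True),
    ("2024-05-01T09:01:10Z sshd: session opened user=alice src=10.0.0.5", False),
    ("2024-05-01T09:02:00Z sshd: authentication failed user=root src=198.51.100.7", True),
    ("2024-05-01T09:02:01Z sshd: authentication failed user=root src=198.51.100.7", True),
    ("2024-05-01T09:02:02Z sshd: authentication failed user=root src=198.51.100.7", True),
    ("2024-05-01T09:03:00Z cron: backup job completed", False),
]

# The rule as originally deployed, and the rule after the log-format change is accounted for.
ORIGINAL_RULE = re.compile(r"sshd: auth failure user=root")
UPDATED_RULE = re.compile(r"sshd: (auth failure|authentication failed) user=root")


def evaluate(rule, events):
    """Confusion counts and false-negative rate for one detection rule over labelled events."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    missed = []
    for line, should_alert in events:
        alerted = rule.search(line) is not None
        if alerted and should_alert:
            counts["tp"] += 1
        elif alerted:
            counts["fp"] += 1
        elif should_alert:
            counts["fn"] += 1      # an attack the control did not report
            missed.append(line)
        else:
            counts["tn"] += 1
    positives = counts["tp"] + counts["fn"]
    counts["false_negative_rate"] = counts["fn"] / positives if positives else 0.0
    counts["missed"] = missed
    return counts


if __name__ == "__main__":
    for name, rule in (("original", ORIGINAL_RULE), ("updated", UPDATED_RULE)):
        result = evaluate(rule, LABELLED_EVENTS)
        print(name, {k: v for k, v in result.items() if k != "missed"})
```

Nothing in the production alert stream reveals the missed events, which is why the false-negative rate has to be measured this way, against a labelled set, and re-measured whenever log sources, formats or parsers change. A rising rate is the concrete symptom of the deterioration the question describes.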
Which of the following is the PRIMARY role of the IS auditor in an organization’s information classification process?
- A . Securing information assets in accordance with the classification assigned
- B . Validating that assets are protected according to assigned classification
- C . Ensuring classification levels align with regulatory guidelines
- D . Defining classification levels for information assets within the organization
B
Explanation:
Validating that assets are protected according to assigned classification is the primary role of the IS auditor in an organization’s information classification process. An IS auditor should evaluate whether the information security controls are adequate and effective in safeguarding the information assets based on their classification levels. The other options are not the primary role of the IS auditor, but rather the responsibilities of the information owners, custodians, or security managers.
References:
CISA Review Manual (Digital Version), Chapter 6, Section 6.2.3
CISA Review Questions, Answers & Explanations Database, Question ID 206
An organization’s business continuity plan (BCP) should be:
- A . updated before an independent audit review.
- B . tested after an intrusion attempt into the organization’s hot site.
- C . tested whenever new applications are implemented.
- D . updated based on changes to personnel and environments.
D
Explanation:
A BCP must stay current with organizational changes to ensure its effectiveness during a disruption. Personnel changes and environmental updates are directly relevant to how the BCP would be executed.
References
ISACA CISA Review Manual (Current Edition) – Chapter on Business Continuity and Disaster Recovery
Industry Standards (e.g., ISO 22301, NIST SP 800-34) – Guidelines for maintaining and updating a Business Continuity Plan
An IS auditor has learned that access privileges are not periodically reviewed or updated.
Which of the following would provide the BEST evidence to determine whether transactions have been executed by authorized employees?
- A . Audit trails
- B . Control totals
- C . Reconciliations
- D . Change logs
A
Explanation:
The best evidence to determine whether transactions have been executed by authorized employees is audit trails. Audit trails are secure records that catalog events or procedures to provide support documentation. They are used to authenticate security and operational actions, mitigate challenges, or provide proof of compliance and operational integrity.
Audit trails can track and trace the following information related to transactions:
Who initiated, approved, modified, or deleted a transaction
When a transaction occurred (date and time)
Where a transaction took place (location or device)
What type of transaction was performed (action or operation)
Why a transaction was executed (purpose or reason)
By analyzing audit trails, an IS auditor can verify whether transactions have been executed by authorized employees or not. Audit trails can also identify any unauthorized, fraudulent, or erroneous transactions that may have occurred. Audit trails can also help to resolve any disputes or discrepancies that may arise from transactions.
References:
What Is an Audit Trail? Everything You Need to Know
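The list above names what an audit trail captures (who, when, where, what). As an added example, not from the CISA manual or the cited article, the code below applies that to the situation in the question: access privileges have not been reviewed, so the audit trail is compared against an authorization master to find transactions executed by unknown, terminated or under-privileged users, and to spot segregation-of-duties breaks where one person both created and approved a payment. Both extracts are constructed, and the column names, role names and user IDs are assumptions.

```python
# Added example: verifying transaction authorization from an audit trail.
import csv
import io
from collections import defaultdict

# Constructed audit-trail extract: who (user_id), when (timestamp),
# where (workstation), what (action, transaction_id, amount).
AUDIT_TRAIL_CSV = """\
timestamp,user_id,workstation,action,transaction_id,amount
2024-05-01T09:15:00Z,u1002,WS-AP-03,create_payment,TX-5001,12500.00
2024-05-01T09:40:00Z,u1001,WS-AP-01,approve_payment,TX-5001,12500.00
2024-05-01T10:05:00Z,u1002,WS-AP-03,create_payment,TX-5002,980.00
2024-05-01T10:06:00Z,u1002,WS-AP-03,approve_payment,TX-5002,980.00
2024-05-01T11:20:00Z,u1003,WS-AP-02,approve_payment,TX-5003,47000.00
2024-05-01T12:00:00Z,u1009,WS-AP-04,create_payment,TX-5004,300.00
"""

# Constructed authorization master as of the audit period. u1003 left the
# company but the account was never disabled: exactly what an unreviewed
# access list produces.
AUTHORIZED_USERS = {
    "u1001": {"active": True,  "roles": {"ap_approver"}},
    "u1002": {"active": True,  "roles": {"ap_clerk"}},
    "u1003": {"active": False, "roles": {"ap_approver"}},
}
ROLE_REQUIRED = {"create_payment": "ap_clerk", "approve_payment": "ap_approver"}


def parse_trail(trail_csv):
    """Audit-trail rows as dicts keyed by the CSV header."""
    return list(csv.DictReader(io.StringIO(trail_csv)))


def unauthorized_transactions(rows, users, role_required):
    """Rows executed by unknown, inactive, or under-privileged users, with the reason."""
    findings = []
    for row in rows:
        user = users.get(row["user_id"])
        needed = role_required.get(row["action"])
        if user is None:
            reason = "user not in authorization master"
        elif not user["active"]:
            reason = "user inactive (terminated) at time of transaction"
        elif needed not in user["roles"]:
            reason = f"user lacks role {needed}"
        else:
            continue
        findings.append((row["transaction_id"], row["user_id"], row["action"], reason))
    return findings


def sod_violations(rows):
    """Transactions where the same user both created and approved the payment."""
    actors = defaultdict(lambda: defaultdict(set))
    for row in rows:
        actors[row["transaction_id"]][row["action"]].add(row["user_id"])
    return sorted(tx for tx, acts in actors.items()
                  if acts["create_payment"] & acts["approve_payment"])


if __name__ == "__main__":
    trail = parse_trail(AUDIT_TRAIL_CSV)
    for finding in unauthorized_transactions(trail, AUTHORIZED_USERS, ROLE_REQUIRED):
        print("exception:", *finding)
    print("SoD violations:", sod_violations(trail))
```

The test works only because the trail records the user identity per transaction; control totals or reconciliations would confirm that the amounts balance without revealing that TX-5003 was approved by someone who no longer works there.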
Malicious program code was found in an application and corrected prior to release into production. After the release, the same issue was reported.
Which of the following is the IS auditor’s BEST recommendation?
- A . Ensure corrected program code is compiled in a dedicated server.
- B . Ensure change management reports are independently reviewed.
- C . Ensure programmers cannot access code after the completion of program edits.
- D . Ensure the business signs off on end-to-end user acceptance test (UAT) results.
C
Explanation:
The IS auditor’s best recommendation is to ensure that programmers cannot access code after the completion of program edits. This is because programmers who have access to code after editing may introduce unauthorized or malicious changes that could compromise the security, functionality, or performance of the application. By restricting access to code after editing, the organization can ensure that only authorized and tested code is released into production, and prevent any tampering or reoccurrence of the same issue.
When conducting an audit of an organization’s use of AI in its customer service chatbots, an IS auditor should PRIMARILY focus on the:
- A . Safeguarding of personal data processing by the AI system.
- B . AI system’s compliance with industry security standards.
- C . Speed and accuracy of chatbot responses to customer queries.
- D . AI system’s ability to handle multiple customer queries at once.
A
Explanation:
Comprehensive and Detailed Step-by-Step
The primary concern when auditing an AI-powered chatbot is ensuring the safeguarding of personal data, in line with privacy regulations such as GDPR and CCPA and standards such as ISO 27701. AI chatbots process customer inquiries and often handle sensitive personal data.
Safeguarding of Personal Data (Correct Answer – A)
Ensures compliance with data protection laws.
Reduces the risk of unauthorized access or data leakage.
Example: An AI chatbot collecting customer financial information must follow encryption and access control policies.
Compliance with Industry Standards (Incorrect – B)
Important, but protecting customer data takes priority over general compliance.
Speed and Accuracy of Chatbot Responses (Incorrect – C)
A performance metric, but not a primary audit focus.
AI’s Ability to Handle Multiple Queries (Incorrect – D)
Efficiency metric, but does not address security risks.
References:
ISACA CISA Review Manual
ISO 27701 (Privacy Information Management System)
GDPR & CCPA Compliance Guidelines